Windows 10: TPM 1.2, Bitlocker, Secure Boot, Recovery question

Discuss and support TPM 1.2, Bitlocker, Secure Boot, Recovery question in AntiVirus, Firewalls and System Security to solve the problem; I have several laptops that are domain joined with BitLocker policies to encrypt the OS and data drives in place. I have enabled Secure Boot,... Discussion in 'AntiVirus, Firewalls and System Security' started by gmwood, Feb 7, 2020.

  1. gmwood Win User

    TPM 1.2, Bitlocker, Secure Boot, Recovery question


    I have several laptops that are domain joined with BitLocker policies to encrypt the OS and data drives in place. I have enabled Secure Boot, encrypted the drives, and they require a complex PIN to start the OS. This all works as expected; however, everything I am reading about TPM 1.2 says that if I change the boot order in the BIOS of the computer, I should be prompted for the Recovery Password. I noticed that this is not the case with TPM 2.0, but my machines are all 1.2 and none of them behave this way; in fact nothing I have done has actually prompted for the Recovery Password, although I have not tried hammering it yet. Any ideas on why changing the boot order in the BIOS is not requiring the Recovery Password to be used to start the machine on TPM 1.2?

    :)
     
    gmwood, Feb 7, 2020
    #1
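Whether a firmware change forces recovery depends on which PCRs the TPM protector on the OS volume is sealed to: BitLocker falls back to the recovery password only when a PCR in that protector's validation profile measures differently at boot. A boot-order change is normally recorded in PCR 1 (host platform configuration), which is not part of BitLocker's default validation profile, so the first thing to check on a machine that behaves like the one described above is the profile actually in use. The script below is an added example, not code from this thread; it reads every key protector on C: through the Win32_EncryptableVolume WMI class and prints the PCR list for the TPM-based ones. Run it from an elevated prompt; the function name and the protector-type table are this example's own.

```powershell
# Added example: show which PCRs each TPM-based BitLocker protector on a volume
# is sealed to. Uses the Win32_EncryptableVolume WMI provider; needs an
# elevated prompt. Function and variable names are this example's own.

$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType codes as documented for Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorTypeNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CryptoAPI-NGC'
}
# Only these protector types hold a key sealed to the TPM and therefore carry a PCR profile
$TpmBoundTypes = 1, 4, 5, 6

function Get-BitLockerProtectorPcrProfile {
    param([string]$DriveLetter = 'C:')

    $vol = Get-CimInstance -Namespace $BdeNamespace -ClassName Win32_EncryptableVolume `
        -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # KeyProtectorType 0 asks the provider for every protector on the volume
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
        -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID

    foreach ($id in $ids) {
        $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
            -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        $pcrs = $null
        if ($TpmBoundTypes -contains [int]$type) {
            $r = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                -Arguments @{ VolumeKeyProtectorID = $id }
            $pcrs = @($r.PlatformValidationProfile | ForEach-Object { [int]$_ })
        }
        [pscustomobject]@{
            Drive       = $DriveLetter
            ProtectorId = $id
            Type        = $ProtectorTypeNames[[int]$type]
            Pcrs        = if ($pcrs) { $pcrs -join ',' } else { '-' }
            # PCR 1 carries host platform configuration (boot order among it); if it is
            # absent from the profile, reordering boot devices is not expected to force recovery
            BindsPcr1   = if ($pcrs) { [bool]($pcrs -contains 1) } else { $false }
            # PCR 7 means the protector relies on the Secure Boot policy rather than raw boot code
            BindsPcr7   = if ($pcrs) { [bool]($pcrs -contains 7) } else { $false }
        }
    }
}

Get-BitLockerProtectorPcrProfile -DriveLetter 'C:' | Format-Table -AutoSize
```

If the TPM+PIN protector shows no PCR 1, the missing recovery prompt is the expected result of the profile, not a TPM 1.2 fault; the profile is set by the "Configure TPM platform validation profile" Group Policy and only takes effect for protectors created after the policy is applied.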

  2. Query related to using BitLocker and TPM on PC

    Hi Robin,

    Thank you for writing to Microsoft Community Forums.

    I appreciate your interest in BitLocker and TPM on Windows 10.

    We do have a dedicated forum where you should be able to find answers to all your queries related to BitLocker and TPM. Let me point you in the right direction: I would suggest that you post your query on the TechNet forums, where we have support professionals with expertise on BitLocker and TPM to assist you with your query.

    Articles for reference:

    Regards,

    Prakhar Khare

    Microsoft Community – Moderator
     
    Prakhar_Khare, Feb 7, 2020
    #2
  3. Clearing TPM, did not ask for BitLocker Recovery key on system restart


    Hi guys,

    I know I have been overwhelming here with all my BitLocker and TPM related questions, but hopefully this should be my final concern.

    I have BitLocker full encryption enabled on my HDD.

    1. Recently, I had this issue when going to the TPM.msc console and noticed under Status that the TPM is "ready for use, with reduced functionality". This had been resolved by clearing the TPM in the TPM.msc console directly. Source: View status, clear, or troubleshoot the TPM (Windows 10) | Microsoft Docs

    2. Here is my concern. How come, after clearing the TPM and after restarting my laptop, BitLocker did NOT prompt me for my Recovery key? That seemed very odd. So in other words, it looks like clearing the TPM did not actually clear the BitLocker Recovery key. I don't know.

    So by clearing the TPM, BitLocker will not lose the keys?
    It seemed so: after clearing the TPM and rebooting my machine, BitLocker did not ask for a Recovery key.

    I also checked to ensure that the key was still intact, and yes it is, by running the manage-bde C: -protectors -get -type RecoveryPassword command.

    In addition, I also checked manage-bde -status and all indicators are fine.
     
    win10freak, Feb 7, 2020
    #3
  4. Mithin_EJ Win User

    TPM 1.2, Bitlocker, Secure Boot, Recovery question

    BitLocker on Surface Pro 3 not working correctly

    Hi JulianSchubert,

    Thank you for posting your question in the Microsoft Community

    The TPM will lock itself out after a few incorrect authentication attempts. These could be due to incorrect PIN entry for BitLocker or incorrect PIN entry for a TPM virtual smart card. For TPM version 1.2, the lockout behavior depends on the individual TPM manufacturer. For TPM 2.0, the specification states that the TPM will enter lockout after 32 incorrect attempts.

    To terminate this BitLocker recovery loop, you need to suspend BitLocker within WinRE. I suggest you follow the steps below.

    Step 1:

    1. Choose the "Skip this drive" link at the bottom of the page where you are asked to enter the recovery key. You should be presented with a menu that will let you get to a command prompt (the sequence is Advanced options -> Troubleshoot -> Advanced options -> Command prompt).
    2. Once you have a command prompt, use the following command to check the BitLocker status of the C: drive:
       manage-bde -status c:
    3. If the status is returned as locked, you'll need to use the following command to unlock it using your recovery password:
       manage-bde -unlock c: -rp <your 48-digit recovery password>
    4. Once the drive is unlocked, you'll need to use the following command to suspend protection:
       manage-bde -protectors -disable c:
    5. Then exit and reboot. The computer should now successfully boot Windows. Once there, use the BitLocker control panel to resume BitLocker protection.
    6. You can reset the TPM lockout using tpm.msc.
    Note: The recovery loop can occur for other reasons, such as cases where the TPM is disabled or malfunctions. You can still use the above steps to suspend BitLocker and boot Windows in such cases.

    Hope it helps.
     
    Mithin_EJ, Feb 7, 2020
    #4
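The manage-bde steps above are the right tool inside the default WinRE command prompt, which does not ship the BitLocker PowerShell module. Once a full Windows session is reachable again (or from a WinPE image built with the PowerShell and SecureStartup components), the same unlock, suspend and resume sequence is available as cmdlets, and three checks are worth adding to it: the recovery password's format can be validated before it is sent to the volume, suspension can be limited to a fixed number of reboots instead of a bare `-protectors -disable` that stays off until someone remembers to resume, and the TPM lockout state from step 6 can be read with Get-Tpm rather than guessed. The script below is an added example, not part of the reply; the function names and the sample recovery password are this example's own.

```powershell
# Added example (not from the thread): PowerShell counterpart of the WinRE
# manage-bde sequence, for use once a full Windows session is reachable.
# Needs the BitLocker and TrustedPlatformModule modules and an elevated prompt.
# Function names and the sample recovery password below are this example's own.

function Test-BitLockerRecoveryPasswordFormat {
    # A recovery password is 8 groups of 6 digits; each group, read as a number,
    # is below 720896 (65536 * 11) and divisible by 11, the last digit being a check digit.
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $groups = $RecoveryPassword.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if ($n -ge 720896 -or ($n % 11) -ne 0) { return $false }
    }
    return $true
}

function Repair-BitLockerRecoveryLoop {
    # Mirrors steps 2-4 of the reply: check, unlock with the recovery password,
    # then suspend protection, but only for a bounded number of reboots.
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$RecoveryPassword,
        [ValidateRange(1, 15)][int]$RebootCount = 1
    )
    if (-not (Test-BitLockerRecoveryPasswordFormat $RecoveryPassword)) {
        throw 'Recovery password is not 8 groups of 6 digits with valid check digits; re-check the typed value'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        # Equivalent of: manage-bde -unlock C: -rp <48-digit recovery password>
        $vol = Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
    }
    if ($vol.ProtectionStatus -eq 'On') {
        # Equivalent of: manage-bde -protectors -disable C: -RebootCount 1
        # A plain -disable leaves the drive unprotected until someone resumes it.
        $vol = Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
    }
    return $vol | Select-Object MountPoint, VolumeStatus, LockStatus, ProtectionStatus
}

function Confirm-BitLockerResumed {
    # Step 5 follow-up: make sure protection came back after the reboot,
    # and report the TPM lockout state (step 6) instead of guessing at it.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        $vol = Resume-BitLocker -MountPoint $MountPoint
    }
    $tpm = Get-Tpm
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmLockedOut     = $tpm.LockedOut
        LockoutCount     = $tpm.LockoutCount
        LockoutMax       = $tpm.LockoutMax
    }
}

# Constructed sample value: every group is below 720896 and divisible by 11,
# so it satisfies the format rule, but it is not a real key for any volume.
$SampleRecoveryPassword = '123453-654324-700007-000011-505054-314160-271821-161810'
Test-BitLockerRecoveryPasswordFormat $SampleRecoveryPassword
# Same string with the first check digit altered, to show a typo being caught:
Test-BitLockerRecoveryPasswordFormat '123456-654324-700007-000011-505054-314160-271821-161810'

# Live use, elevated, once Windows is reachable:
# Repair-BitLockerRecoveryLoop -MountPoint 'C:' -RecoveryPassword $SampleRecoveryPassword -RebootCount 1
# ...reboot...
# Confirm-BitLockerResumed -MountPoint 'C:'
```

The format check only rules out mistyped passwords; a well-formed password that belongs to another volume still fails at Unlock-BitLocker. If Confirm-BitLockerResumed reports TpmLockedOut as True, clear the lockout from tpm.msc (or wait out LockoutHealTime) before resuming, otherwise the next boot lands back in recovery.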